Re: fail2ban problem
Jerry Stuckle <jstuckle@attglobal.net> wrote:
> I decided to try a fail2ban rule, but I can't get it to work.
> failregex = <HOST> .*"GET|POST|HEAD /.*phpMy.* HTTPS?/.*" 404 [0-9]{1,6}
> This should match something like:
> 10.0.0.1 - - [31/Dec/2012:11:40:02 -0500] "GET /phpBB2/ HTTP/1.1" 404 3308
> However, it also seems to match ones like:
> 10.0.0.1 - - [31/Dec/2012:11:41:44 -0500] "GET / HTTP/1.1" 200 5668
It's the GET|POST|HEAD part that isn't parsing as you'd expect. What
the RE is compiling down to is any one of the following:
<HOST> .*"GET
POST
HEAD /.*phpMy.* HTTPS?/.*" 404 [0-9]{1,6}
Solution is to put brackets (...) around the GET|POST|HEAD part:
failregex = <HOST> .*"(GET|POST|HEAD) /.*phpMy.* HTTPS?/.*" 404 [0-9]{1,6}
Oh, I'm not sure you want two spaces before the HTTPS? component.
Chris
Reply to: